For TypeScript analysis also consider reading about `static type information <https://help.semmle.com/QL/learn-ql/javascript/introduce-libraries-ts.html#static-type-information>`__ first.
16
14
17
15
18
16
The problem of recognizing method calls
19
17
---------------------------------------
20
18
21
-
We'll start with a simple model of the Firebase API and gradually build on it to use type tracking.
19
+
We'll start with a simple model of the `Firebase API<https://firebase.google.com/docs/reference/js/firebase.database>`__ and gradually build on it to use type tracking.
22
20
Knowledge of Firebase is not required.
23
21
24
22
Suppose we wish to find places where data is written to a Firebase database, as
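Review bot: The new `Firebase API<https://firebase.google.com/docs/reference/js/firebase.database>`__ reference is missing the space between the link text and the angle-bracketed URL; reStructuredText only treats `<...>` as an embedded URI when it is separated from the text by whitespace, so as written this is unlikely to render as a link. Every other link in this file uses the spaced form, for example `Here <https://lgtm.com/query/1053770500827789481>`__, so change it to `Firebase API <https://firebase.google.com/docs/reference/js/firebase.database>`__ to match.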
@@ -129,7 +127,7 @@ Predicates that use type tracking usually conform to the following general patte
129
127
130
128
SourceNode myType(TypeTracker t) {
131
129
t.start() and
132
-
result = /* value to track */
130
+
result = /* SourceNode to track */
133
131
or
134
132
exists(TypeTracker t2 |
135
133
result = myType(t2).track(t2, t)
@@ -276,7 +274,7 @@ For reference, here's our simple Firebase model with type tracking on every pred
276
274
result = firebaseRef().getAMethodCall("set")
277
275
}
278
276
279
-
`Here <https://lgtm.com/query/1053770500827789481>`__ is a run of an example query using the model on one of the Firebase sample projects.
277
+
`Here <https://lgtm.com/query/1053770500827789481>`__ is a run of an example query using the model to find `set` calls on one of the Firebase sample projects.
280
278
It's been modified slightly to handle a bit more of the API, which is out of scope of this tutorial.
281
279
282
280
Tracking associated data
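Review bot: In the reworded sentence, `set` is written with single backticks, which in reStructuredText is interpreted text in the default role rather than an inline literal; the rest of this file uses double backticks for code, as in ``snapshot`` and ``val()`` further down, so write ``set`` here for consistent rendering.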
@@ -391,7 +389,7 @@ Based on that we can track the ``snapshot`` value and find the ``val()`` call it
391
389
392
390
With this addition, ``firebaseDatabaseRead("forecast")`` finds the call to ``snapshot.val()`` which contains the value of the forecast.
393
391
394
-
`Here <https://lgtm.com/query/8761360814276109092>`__ is a run of an example query using the model.
392
+
`Here <https://lgtm.com/query/8761360814276109092>`__ is a run of an example query using the model to find `val` calls.
395
393
396
394
Summary
397
395
-------
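Review bot: Same markup issue as the ``set`` sentence earlier in this diff: `val` should be ``val`` (double backticks) so it renders as an inline literal like the surrounding ``snapshot.val()`` and ``firebaseDatabaseRead("forecast")`` references.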
@@ -402,7 +400,7 @@ This covers the use of the type tracking library. To recap, use this template to
402
400
403
401
SourceNode myType(TypeTracker t) {
404
402
t.start() and
405
-
result = /* value to track */
403
+
result = /* SourceNode to track */
406
404
or
407
405
exists(TypeTracker t2 |
408
406
result = myType(t2).track(t2, t)
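Review bot: This template is now duplicated verbatim between the earlier "general pattern" section and the Summary, and this diff has to edit the `/* SourceNode to track */` placeholder in both places; consider keeping a single copy (for example via an RST substitution or include) so the two cannot drift apart in future edits.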
@@ -430,6 +428,13 @@ Use this template to define backward type tracking predicates:
430
428
result = myType(TypeBackTracker::end())
431
429
}
432
430
431
+
Note that these predicates all return ``SourceNode``,
432
+
so attempts to track a non-source node, such as an identifier or string literal,
433
+
will not work.
434
+
435
+
Also note that the predicates taking a ``TypeTracker`` or ``TypeBackTracker`` can often be made ``private``,
436
+
as they are typically only used as an intermediate result to compute the other predicate.
437
+
433
438
Limitations
434
439
-----------
435
440
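Review bot: The new note that the ``TypeTracker``/``TypeBackTracker`` predicates "can often be made ``private``" is useful but is not reflected in the templates it refers to; consider marking the tracker-parameterised predicate ``private`` in the forward and backward templates above so readers copy the recommended form. Also, "will not work" for non-source nodes is vague: say what the reader will observe when they try it, so the limitation is recognisable in practice.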
@@ -453,15 +458,15 @@ This is an example of where `data flow configurations <https://help.semmle.com/Q
453
458
When to use type tracking
454
459
-------------------------
455
460
456
-
Type tracking and data flow configurations are essentally competing solutions to the same
461
+
Type tracking and data flow configurations are essentially competing solutions to the same
457
462
problem, each with their own tradeoffs.
458
463
459
464
Type tracking can be used in any number of predicates, which may depend on each other
460
465
in fairly unrestricted ways. The result of one predicate may be the starting
461
466
point for another. Type tracking predicates may be mutually recursive.
462
467
Type tracking predicates can have any number of extra parameters, making it possible, but optional,
463
468
to construct source/sink pairs. Omitting source/sink pairs can be useful when there is a huge number
464
-
of sources and the sinks are not known to the library model.
469
+
of sources and sinks.
465
470
466
471
Data flow configurations have more restricted dependencies but are more powerful in other ways.
467
472
For performance reasons,
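Review bot: The typo fix (essentially) is fine, but the second change in this hunk drops the rationale: the old text explained that omitting source/sink pairs helps when the sinks are not known to the library model, whereas the new "a huge number of sources and sinks" no longer says why pairs would be omitted. Suggest keeping the explanation, e.g. "when there is a huge number of sources, or when the sinks are not known to the library model."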
@@ -487,6 +492,15 @@ Prefer data flow configurations when:
487
492
- Tracking values through string manipulation.
488
493
- Generating a path from source to sink -- see :doc:`constructing path queries <../writing-queries/path-queries>`.
489
494
495
+
Lastly, depending on the code base being analyzed, some alternatives to consider are:
496
+
497
+
- Using `static type information <https://help.semmle.com/QL/learn-ql/javascript/introduce-libraries-ts.html#static-type-information>`__,
498
+
if analyzing TypeScript code.
499
+
500
+
- Relying on local data flow.
501
+
502
+
- Relying on syntactic heuristics such as the name of a method, property, or variable.
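Review bot: The lead-in says the alternatives depend on "the code base being analyzed", but only the first bullet states its condition (TypeScript code). Add a short qualifier to the other two as well, for example when local data flow already reaches the call sites of interest, and when naming conventions in the code base are reliable enough that a method, property or variable name is a good proxy, so the list reads as guidance rather than a bare enumeration.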